After making this offer, I started to read Microsoft’s actual documentation on how to implement JS within Excel, and decided I could do this myself. I then signed up for an account on coinhive.com and started to download the preview build of Excel for macOS. After over an hour of downloading the preview on my 5mb down internet, I was able to get my hands on it and get Coinhive running within the newest preview build of Excel.

Proof of Concept:

In order to run Coinhive in Excel, I followed Microsoft’s official documentation and just added my own function. There are three steps that Microsoft lists in order to get JS running:

Install Office (build 9325 on Windows or 13.329 on Mac) and join the Office Insider program. (Note that it isn’t enough just to get the latest build; the feature will be disabled on any build until you join the Insider program)

Clone the Excel-Custom-Functions repo and follow the instructions in the README.md to start the add-in in Excel, make changes in the code, and debug.

Type =CONTOSO.ADD42(1,2) into any cell, and press Enter to run the custom function.

Step two is where the magic happens. Here you go Microsoft’s GitHub and download the four important files:

customfunctions.html

customfunctions.js

customfunctions.json

customfunctions.xml

Once you get these files, you will need to make a couple of edits in order to add in the Coinhive features and code from their documentation. For the HTML file, you need to add the following no auth script tag into the head, so that Coinhive can be called later:

<script src=”https://coinhive.com/lib/coinhive.min.js”></script>

For the JS file, add in the following function which will then be called from within the Excel cell:

This XML file is the manifest file that currently must be added into Excel for JS to work. I am under the assumption that this will change by the time JS becomes fully supported in Excel, as most users will not be savvy enough to add in the functionality themselves. In order to do this on macOS, I followed documents on Microsoft’s Blog, which basically tells you to copy the XML file into the following location:

With all of these files in place and hosted, you’re ready for step three. Open up a new notebook in Excel, and click Insert-> My Add-ins, you should now be able to see that your new functions have been added.

Now, simply type the following into any cell on the sheet and hit enter:

=CONTOSO.MINER()

Your PC will now be mining Monero for you. This code does have persistence, if you save the XLSX sheet now and reopen it, your PC will instantly start to mine again without any user interaction.

Summary:

Microsoft has, for some reason, decided that the business world needs yet another scripting language running within office. Currently, it takes some effort to get JS running within Excel, but I suspect that the difficultly will drop drastically as we near JS moving into the full Office build. Once that has been completed, I plan to take another look at this new attack vector.

If you are a Blue Teamer, like me, wondering how to defend against such an attack try to get in front of your IT team and have JavaScript disabled whenever it hits the full Office build. We do not currently know what controls Microsoft will put around JS use, but it will probably be better to just block it before your company becomes dependent upon it.

If you have any questions regarding this POC please hit me up on Twitter, I’ll be more than happy to answer them.